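---
# Xygeni CI/CD security scan: checks out the code under test, installs the
# Xygeni scanner and runs its inventory, misconfiguration and code-tampering
# analyzers against the workspace.
name: Xygeni CI/CD Security Scan

# yamllint disable-line rule:truthy
on:
  push:
    branches: ["main"]
  # pull_request_target runs in the context of the BASE repository, so the
  # XY_* secrets and GH_PAT below are available even for pull requests from
  # forks. The trade-off is that the job later checks out the untrusted PR
  # head: no step in this job may execute repository content (build scripts,
  # hooks, package-manager install steps), otherwise those secrets are exposed
  # to the PR author. Keep that invariant when adding steps.
  pull_request_target:
    branches: ["main"]
  # Allows the workflow to be run manually from the Actions tab
  workflow_dispatch:

# Least privilege for the automatic GITHUB_TOKEN: no step below uses it and
# nothing here writes to the repository (the scanner is given GH_PAT
# separately, see the last step).
permissions:
  contents: read

env:
  XY_USERNAME: "${{ secrets.XY_USERNAME_PRO }}"
  XY_PASSWORD: "${{ secrets.XY_PASSWORD_PRO }}"
  XY_URL: "${{ secrets.XY_URL_PRO }}"
  # Project name reported to Xygeni, derived from the repository name
  XY_PRJ_NAME: "LGV-GH-${{ github.event.repository.name }}"

jobs:
  xygeni_cicd_scan:
    runs-on: ubuntu-latest
    steps:
      - name: Cat event
        # GITHUB_EVENT_NAME is the runner-provided equivalent of
        # github.event_name; reading it from the shell environment avoids
        # interpolating an expression into the script text.
        run: echo "EVENT $GITHUB_EVENT_NAME"

      # pull_request_target checks out the base branch by default; fetch the
      # PR head explicitly so the scan covers the proposed change. Per the
      # note on the trigger above, this checkout is untrusted content.
      - name: Checking out PR code
        if: ${{ github.event_name == 'pull_request_target' }}
        uses: actions/checkout@v4
        with:
          # 0 = full history for all branches and tags (default is 1)
          fetch-depth: "0"
          ref: "${{ github.event.pull_request.head.sha }}"

      - name: Checking out main code
        if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
        uses: actions/checkout@v4
        with:
          # 0 = full history for all branches and tags (default is 1)
          fetch-depth: "0"

      # Diagnostic output only: show what was checked out
      - name: Git Log
        run: git log

      # NOTE(review): the step name says pr.yml but the command prints
      # README.md; kept as-is, confirm which file was intended.
      - name: Cat pr.yml
        run: cat README.md

      - name: Download Xygeni Scanner
        # The installer is fetched from the vendor and executed directly with
        # the credentials passed as arguments; every value is quoted so shell
        # metacharacters in a secret cannot split or expand the command line.
        # The sed call widens the code-tampering check from modified (M) to
        # added-or-modified (AM) workflow files; the grep before/after shows
        # the edit took effect in the job log.
        run: |
          echo "Downloading Xygeni Scanner ...."
          curl -L https://get.xygeni.io/latest/scanner/install.sh | /bin/bash -s -- -u "$XY_USERNAME" -p "$XY_PASSWORD" -s "$XY_URL" -d "${GITHUB_WORKSPACE}/scanner"
          CCM_CONF="${GITHUB_WORKSPACE}/scanner/conf/codetampering/ccm/workflow_modification.yml"
          grep changeTypesToConsider "$CCM_CONF"
          sed -i 's/changeTypesToConsider: M/changeTypesToConsider: AM/g' "$CCM_CONF"
          grep changeTypesToConsider "$CCM_CONF"

      - name: Execution Xygeni Scanner (vuln)
        # --never-fail: findings are reported but never fail the job, so this
        # workflow is informational and does not act as a merge gate.
        # The project name is read from the XY_PRJ_NAME env var defined above
        # rather than re-interpolated, and the exclusion pattern is quoted so
        # the shell hands it to the scanner verbatim instead of glob-expanding it.
        run: |
          echo "Executing Xygeni scan ...."
          "${GITHUB_WORKSPACE}/scanner/xygeni" scan --never-fail --run="inventory,misconf,codetamper" --no-conf-download -n "$XY_PRJ_NAME" --dir "${GITHUB_WORKSPACE}" -e '**/scanner/**'
        env:
          # Token handed to the scanner for GitHub access; presumably used for
          # API calls during the scan — confirm against the scanner docs.
          GITHUB_PAT: "${{ secrets.GH_PAT }}"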